Xero

Xero provides online accounting software and services for small and medium businesses. Xero is based in Wellington, New Zealand, and has been providing its cloud service since 2007. With Xero, live support staff are available 24/7 via their online support portal or email. Xero encrypts all data in transit between your computer and their servers, but they may not encrypt your data while it is on their servers. Xero’s service is hosted in a Sydney data centre operated by Rackspace. Rackspace adheres to stringent security measures and has been independently audited to ensure your data is stored securely while still being easily available to you. These measures help Xero maintain its expected availability of over 99.99% (the Xero service is expected to be inaccessible less than 0.01% of the time). Xero allows you to easily import and export your data in a common, easily used format. Also, Xero verifies that all rights to your data remain yours; they make no claims to it. Upon account termination, Xero may permanently delete your data after 40 days or upon your request.

This disclosure was provided and researched by Arrowrock. Sources are cited where possible.

Please report any inaccuracies in this report by leaving a reply below or sending us a private message. Thank you!

Company Identity

Trading Name: Xero
Company Website: http://www.xero.com/
Company Phone Number:
Company Email Address: sales@xero.com, support@xero.com
Physical Address: 19-23 Taranaki St, Te Aro, Wellington 6011, New Zealand

What services does this disclosure apply to?
Xero – Online Accounting Software
http://www.xero.com/

What country holds legal jurisdiction over the service(s)?
The legal jurisdiction for citizens of the US is California Law.
The legal jurisdiction for citizens of New Zealand is New Zealand Law.
The legal jurisdiction for citizens of Australia is Australian Law.
The legal jurisdiction for citizens of England & Wales is English & Welsh Law.

For more information, please review Section 10.5 of the Terms and Conditions:
http://www.xero.com/about/terms/

How long has your company been operating?
Since July 2006.

How long has your company been providing the service(s) covered in this disclosure?
Since August 2007.

Is your company currently profitable?
Xero is a publicly traded company and is listed on the New Zealand Stock Exchange, which shows Xero capitalised at $1.1B NZD (as at March 2013).

https://www.nzx.com/markets/NZSX/securities/XRO

Customer Support and Service Level Agreement

What are your standard customer support hours?
Support services are available 24 hours a day, 7 days a week.

What channels are available for communication with clients?
Email
support@xero.com

Online Support Portal
http://www.xero.com/support/

Which is your preferred channel for client communications?
We prefer the Online Support Portal at http://www.xero.com/support/

Do you collect any information from client communications?
Not available

What is your standard response time for customer support inquiries?
Not available

Do you proactively communicate information about future planned outages and maintenance to clients?
If for any reason Xero has to interrupt the Services for longer periods than Xero would normally expect, Xero will use reasonable endeavours to publish in advance details of such activity on the Website.
http://www.xero.com/about/terms/

Do you proactively communicate information about current unscheduled outages and incidents to clients?
Not available

Do you make incident reports available to clients after major incidents?
Not available

What is the expected uptime of the service?
Our service has been designed for high user availability, with redundancy built into every level of our hosting infrastructure, including redundant power, network, database and web servers. Our service availability performance stands at over 99.99% since launching the service in 2007.
http://www.xero.com/accounting-software/security/#dataProtectionAndBackup

Has the service experienced any outages in the last 12 months?
Not available

Does the SLA guarantee service uptime?
No.
Xero gives no warranty about the Services. Without limiting the foregoing, Xero does not warrant that the Services will meet Your requirements or that it will be suitable for any particular purpose. To avoid doubt, all implied conditions or warranties are excluded in so far as is permitted by law, including (without limitation) warranties of merchantability, fitness for purpose, title and non-infringement.
http://www.xero.com/about/terms/

Security

Are logs kept of client logins and locations?
Not available

Does your service support password/account recovery?
Yes.
Passwords can be recovered via: https://login.xero.com/ForgottenPassword
This will email a password reset link to your associated email account.

Does the service monitor for any suspicious account activity?
Not available

Does your service offer two-step or multi-factor authentication?
Not available

Does your service offer login via other services?
No.

Does your service secure all client data in transit?
Yes.
Xero’s servers have SSL Certificates issued by leading certificate authorities Entrust & GTE Cybertrust, so all Data transferred between users and the Service is encrypted.
For more information refer to the “Your Data is sent securely across the Internet” section of the Xero Privacy Policy
http://www.xero.com/about/privacy/

Does your service secure client data at rest?
Not available

Does your service allow clients to collaborate with 3rd parties?
Transfer of data to any third parties can only occur with your consent and to organisations that provide adequate data protection.
http://www.xero.com/accounting-software/security/

Does your primary system reside in a data center with a security certification?
Xero is hosted by Rackspace with the primary system being hosted in the Sydney Data Centre. Our servers are located within Rackspace tier-4, enterprise grade hosting facilities. Access is restricted to authorised Rackspace staff by a combination of biometric systems and 24/7 onsite security guards, and is continually audited to meet SOC 1 Type II standards.
http://www.xero.com/accounting-software/security/
For more information, view the specifications at:
http://www.rackspacehosting.co.nz/company/sydney-data-centre-specifications.php

Rackspace’s general security controls can be viewed here:
http://www.rackspacehosting.co.nz/company/security.php

Does your backup/disaster recovery system reside in a data center with a security certification?
Not available

Data Ownership

Do you claim ownership of any client data or information uploaded to your service?
No.
Title to, and all Intellectual Property Rights in, the Data remain Your property. However, Your access to the Data is contingent on full payment of the Xero Access Fee when due. You grant Xero a licence to use, copy, transmit, store, and back-up Your information and Data for the purposes of enabling You to access and use the Services and for any other purpose related to provision of services to You.
Section 5.2 of the Terms & Conditions
http://www.xero.com/about/terms/

Does the client retain full ownership of any data or information transmitted or stored via upstream providers?
Yes.
Title to, and all Intellectual Property Rights in, the Data remain Your property.
Section 5.2 of the Terms & Conditions
http://www.xero.com/about/terms/

Does client use of your service generate any metadata or other statistical information?
Yes.
Xero staff and key commercial partners can access non-identifying and aggregated usage information and transaction volumes in order to better understand how our customers are using the Service so we can improve the system design and where appropriate have the system prompt users with suggestions on ways to improve their own use of the system. All aggregated usage information is stored in a secure Xero data warehouse facility.
http://www.xero.com/about/privacy/

Data Location

Where are the primary systems that host client data located?
The primary systems that host client data are located in Rackspace’s Sydney Data Centre:
http://www.rackspacehosting.co.nz/company/sydney-data-centre-specifications.php

Where are the backup/disaster recovery systems that host client data located?
Additional systems are located in Rackspace Data Centers throughout the world:
http://www.rackspacehosting.co.nz/company/our-data-centers.php

Are there any other systems that host client data on behalf of your service?
Xero utilizes Yodlee for automated bank account feeds.
For more information, view their terms here:
http://www.xero.com/about/yodlee-terms/

Data Access and Use

Does the client have full access to their data during the service contract period?
Xero will give you access to Your Data at any time.
Provided You have met Your obligations under the Service Terms of Use, on request Xero will provide You with a full export of the Data in a common file format determined by Xero.
http://www.xero.com/about/privacy/

Can the client freely download their data from the service during the contract period?
Client data can easily be imported into and exported out of Xero.
For more information, please refer to:
http://help.xero.com/#ImportExport

Can the client easily import/upload their data from a competing service provider into your service?
Client data can easily be imported into and exported out of Xero.
For more information, please refer to:
http://help.xero.com/#ImportExport

You don’t need to back up your data in Xero because we have strict security and backup procedures in place. However, if you do want to do a backup or get out data before you stop using Xero, you can export individual files from Xero. Xero doesn’t have an export-all-data-at-once function, or a read-only pricing plan (yet).
For more information, please refer to:
http://help.xero.com/#Q_DataOut

Does your service include an API to access client data?
Not available

Following termination of the service, will the client be able to access their data?
If you want to stop using Xero, you can do so at any time – there is no obligatory or contractual period. You will be billed up until the day you remove your organisation. In the future we expect to provide customers with a storage or archival service at a greatly reduced monthly fee. This will likely provide you read-only access to the existing organisation, meaning that you may not have to get your data out of Xero. Contact us if you would like to discuss this service. In the meantime there are a series of reports and other data you can export in order to obtain your own copy.
https://help.xero.com/#faq$BK_FAQ22

Following termination of the service, is all client data deleted?
Access to the Data may be permanently deleted by Xero 40 days after You stop paying for the Service or at Your request.
http://www.xero.com/about/privacy/

Does anyone in your organization (including contractors and upstream providers) have the ability to directly access client data?
No one has access to your organisation unless invited by you and with a level of user permission selected by you. You can remove any invited users whenever you want. You also have the option to invite Customer Care, but it’s for support purposes only and completely at your discretion.
http://www.xero.com/accounting-software/security/

Also refer to the “Xero monitors system usage” section of the Xero Privacy Policy for more information:
http://www.xero.com/about/privacy/

Does your company use client data or information for any business function (other than the provision of the service)?
Xero staff and key commercial partners can access non-identifying and aggregated usage information and transaction volumes in order to better understand how our customers are using the Service so we can improve the system design and where appropriate have the system prompt users with suggestions on ways to improve their own use of the system. All aggregated usage information is stored in a secure Xero data warehouse facility.
http://www.xero.com/about/privacy/

Does your company use client data or information to generate revenue (other than the provision of the service)?
Not available

Do you access client data in any additional circumstance not yet specified in this disclosure?
No.

Data Breach Notification

Do you have a policy in place for dealing with data loss or breach?
Not available

Do you notify clients if their data has been lost or compromised?
Not available

Backup and Maintenance

Does your service support data versioning?
Not available

How often are service/client data backups performed?
All customer data is backed up daily. We also run a continuous off site data back-up service into a second Rackspace facility for further real-time data protection.
http://www.xero.com/accounting-software/security/#dataProtectionAndBackup

What method is used to perform service/client data backups?
All customer data is backed up daily. We also run a continuous off site data back-up service into a second Rackspace facility for further real-time data protection.
http://www.xero.com/accounting-software/security/#dataProtectionAndBackup

How long is backup data retained for?
Not available

Disclaimer

The information in this report is provided “AS IS” without warranty of any kind, express or implied. Please use good judgement and verify the information you consider important before basing any decisions on it.